On page 1, under the heading FIELD OF THE INVENTION, insert the following: 

The present invention relates to regulating connectivity to and within communicability 
networks. More specifically, the present invention relates to authenticating and establishing 
personalized network connectivity for local users of institutional communication networks. 

On page 1, under the heading "BACKGROUND OF THE INVENTION", the first paragraph 
should read as follows: 

Institutions are relying increasingly on their data communication network infrastructures for 
efficient communication and data transfer. With this increasing reliance on network computing has 
arisen a significant need for mechanisms to regulate connectivity and communicability to and within 
such networks. This need has been partially filled by internet protocol (IP) firewalls. IP firewalls 
typically restrict access to fixed sets of network resources by applying a set of protocol level filters 
on a packet-by-packet basis or by requiring prospective users to become authenticated before gaining 
access to the resources. Authentication has generally required users to supply certain signature 
information, such as a password. While this requirement of signature information has reduced the 
risk of unauthorized access to firewall-protected resources, firewalls have proven an imperfect and 
inflexible regulatory solution. Because firewalls are protocol-specific, firewalls have not provided 
a means for regulating network connectivity in a multi-protocol environment. Moreover, because 
firewalls regulate access to particular network resources, they have failed to provide a means for 
regulating access to sets of network resources which can vary as a function of user identity. 




On page 3, the paragraph beginning on line 18 should read as follows: 



Accordingly, there is a need for comprehensive services for regulating communicability in 
institutional networks which are not subject to the inflexibility of conventional user log-in 
mechanisms or the lack of consideration for user identity of conventional VLAN assignment 
techniques. There is also a need for services which authenticate local users of institutional networks 
before establishing network communicability. There is a further need for user authentication 
services which provide collateral functionality, such as the ability to dynamically track the 
whereabouts of network users. 



On page 4, paragraph 2, beginning on line 10, the paragraph should read as follows: 






It is therefore one object of the present invention to provide a service which authenticates 
local users before establishing network communicability. 



On page 4, the last paragraph, beginning on line 21 and continuing through page 5, line 16, 
should read: 

These and other objects of the present invention are accomplished by a service which requires 
that local users be authenticated before gaining access to personalized sets of network resources. 
User identification information, time restrictions and authorized lists of resources for particular users 
are entered and stored in the network. Prior to authentication, packets from an end system being used 
by a prospective user of network resources are transmitted to an authentication agent operative on 
an intelligent edge device associated with the system. The agent relays log-in responses received from the 
system to a basic authentication server in the network for verification of the user. Verification is 
made by comparing log-in responses with the user identification information stored in the network 
and determining whether time restrictions associated with the user identification information are 
applicable. If the basic authentication server is able to verify from the log-in response that the user 
is an authorized user of network resources, and that the user is authorized to use the network 
resources at the time of the log-in attempt, the basic authentication server transmits to the agent the 
list of network resources for which the user is authorized, along with any time restrictions. The agent 
forwards the list of authorized network resources and time restrictions for storage and use on the 
edge device. The edge device uses the authorized list of resources and time restrictions to establish 
network communicability rules for the user. Preferably, the authorized list of network resources is 
a list of one or more VLANs. 



On page 6, the second paragraph should read as follows: 
In another aspect of the invention, when an authenticated user logs off the network, or fails 
to transmit packets for a predetermined time, or if the system being used by the authenticated user 
is disconnected from the network, or if the authorized communicability period expires, or if the basic 
authentication server or other management entity instructs the agent to abolish the authenticated 
user's network communicability, the authenticated user's network communicability is deactivated. 



Page 12 should read as follows: 



Agent 400 also includes RSRC RLY means 460. Means 460 serves to forward for storage 
and use on device 10 authorized communicability information received from server 320 for 
authenticated users of systems 40, 50, 60. Authorized communicability information may 
advantageously be transmitted by server 320 to agent 400 in the same data packet as user status 
information. Authorized communicability information includes, for the particular one of the systems 
40, 50, 60, a list of authorized network resources. Authorized communicability information may also 
include time restrictions, if any. Time restrictions preferably define times during which the particular 
user is authorized to use the network resources, such as the day of the week, the time of day, and the 
length of permitted access. The list of authorized network resources is preferably a list of VLAN 
identifiers. Authorized communicability information is preferably forwarded by agent 400 to 
management processor module 210 along with the authentication module identifier. Management 
processor module 210 preferably associates the authorized communicability information with a 
known address of the one of the systems 40, 50, 60 being used by the authenticated user and stores 
the pair in device records. The address is preferably a MAC address. 




Page 13, second sub-paragraph numbered "2" and continuing to page 14, first two 
paragraphs should read as follows: 

2. If the destination address is not the address of another one of systems 40, 50, 
60 associated with device 10, resort is made to device records on device 10 
to retrieve the VLAN identifiers associated with the source system. The 
VLAN identifiers are appended to the packet and the packet is transmitted by 
backbone module 220 for transmission on backbone network 30. When the 
packet arrives on the edge device (e.g., 15) associated with the destination 
system (e.g., 45), resort is made to device records on the edge device to verify 
that the source and destination systems share a common VLAN. If a VLAN 
is shared, the packet is forwarded to the destination system. If a VLAN is not 
shared, the packet is dropped. 
Packets addressed to unauthenticated systems in network 1 continue to be dropped. The 
foregoing rules may be implemented using various known protocols. It will be appreciated that any 
addressable core, edge, or end devices, stations and systems in network 1 which are not subject to 
authentication requirements may be treated as authenticated systems for purposes of transmitting and 
receiving packets under the foregoing rules. 
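As an added illustration, not code from the patent, the following models rule 2 above on two edge devices: device records map a MAC address to the VLAN identifiers stored at log-in, the source edge appends them to an outbound packet, and the destination edge forwards only when a VLAN is shared. Names such as EdgeDevice, tag_for_backbone and accept_from_backbone, and the sample topology, are assumptions of this example.

```python
# Constructed model (not the patent's code) of the edge-device forwarding rule.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str                        # source MAC address
    dst: str                        # destination MAC address
    vlans: frozenset = frozenset()  # VLAN identifiers appended at the source edge

@dataclass
class EdgeDevice:
    name: str
    local_systems: set              # MACs of end systems attached to this device
    records: dict = field(default_factory=dict)  # device records: MAC -> set of VLAN ids

    def tag_for_backbone(self, pkt):
        """Source edge, rule 2: destination is not local, so look up the source
        system's VLANs in device records and append them. Returns None (drop)
        when the source has no entry, i.e. it has not been authenticated."""
        if pkt.dst in self.local_systems:
            return None  # local delivery is covered by a separate rule, not modelled here
        vlans = self.records.get(pkt.src)
        if not vlans:
            return None
        return Packet(pkt.src, pkt.dst, frozenset(vlans))

    def accept_from_backbone(self, pkt):
        """Destination edge, rule 2: forward only if the destination is an
        authenticated local system sharing at least one VLAN with the source."""
        if pkt.dst not in self.local_systems:
            return False
        dst_vlans = self.records.get(pkt.dst)
        if not dst_vlans:
            return False  # packets to unauthenticated systems continue to be dropped
        return bool(pkt.vlans & dst_vlans)

def deliver(src_edge, dst_edge, pkt):
    """Simulate one packet crossing backbone network 30; True if it is forwarded."""
    tagged = src_edge.tag_for_backbone(pkt)
    return tagged is not None and dst_edge.accept_from_backbone(tagged)

# Constructed sample topology: device 10 serves systems 40, 50 and 60 (60 never
# authenticated); device 15 serves system 45, which is authorized for vlan-eng only.
DEV10 = EdgeDevice("10", {"mac-40", "mac-50", "mac-60"},
                   {"mac-40": {"vlan-eng"}, "mac-50": {"vlan-hr"}})
DEV15 = EdgeDevice("15", {"mac-45"}, {"mac-45": {"vlan-eng"}})
```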

Agent 400 also includes ID TERM means 470. Means 470 serves, upon receipt of log-off 
commands from authenticated users, or upon expiration of the authorized communicability period, 
or when one of authenticated systems 40, 50, 60 is physically disconnected from network 1, or when 
one of authenticated systems 40, 50, 60 fails to send traffic for a prescribed length of time, or upon 
receipt of instruction from server 320, to deactivate the established network communicability. 
Means 460 forwards to management processor module 210 a request to remove from device records 
the address-authorized connectivity information entry for the user whose connectivity is to be 
deactivated. Upon receipt of such a request, management processor module 210 preferably removes 
the entry from device records and the authenticated one of systems 40, 50, 60 reverts to the 
unauthenticated state. 

Turning to Fig. 5, a functional diagram of basic authentication server 320 is shown. Server 
320 includes RSRC AUTH means 510. Means 510 serves to enable network administrators to define, 
on an individualized basis, authorized communicability 



16 and 17 are amended to read as follows: 

Server 320 also includes ID VER means 530. Means 530 serves to subject to a verification 
process authentication information received from users via agent 400. Means 530, upon receipt of 
authentication information from agent 400, determines if the log-in response matches the user 
identification information associated with a user-specific entry in user records 330. If a match is 
found, and there are time restrictions associated with the user-specific entry, means 530 determines 
from the time restrictions if the user is authorized to use network 1 at the particular time. If the user 
is time-authorized or there are no time restrictions, means 530 generates authorized communicability 
information. Means 530 retrieves the list of authorized network resources associated with the 
matching user identification information in the generation of authorized communicability 
information. Authorized communicability information may also include any time restrictions. Means 
530 also generates user status information. User status information is information sufficient to 
communicate to agent 400 whether user identification information was successfully verified. User 
status information is preferably either a log-in valid or log-in invalid message. Means 530 transmits 
authorized communicability information and user status information to agent 400. Preferably, 
authorized communicability information and user status information are transmitted as part of the 
same data packet. If no match for user identification information is found, or if the user is not time- 
authorized, means 530 generates and transmits to agent 400 user status information, preferably in 
the form of a log-in invalid message, but does not generate or transmit authorized communicability 
information. Although the above described means operative on server 320 are described to be 
interoperative in conjunction with agent 400, it will be appreciated that the means are fully 
interoperative with other authentication agents residing on edge devices in network 1. 

Server 320 also includes ID STOR means 540. Means 540 serves to forward for storage and 
use by a network administrator user tracking information. User tracking information is preferably 
retained for all log-in attempts made by prospective users, whether successful or unsuccessful. User 
tracking information may include, for each log-in attempt, any information learned from one or more 
of the following: user identification information, authentication information, user status information, 
authorized communicability information. User tracking information also may include the time of day 
the log-in attempt was made. The time of day may be kept on and obtained from server 320. Server 
320 preferably associates the user tracking information and stores the information as an entry in a 
network activity database (not shown) that is accessible by or resides on station 20. Network activity 
database entries are accessible by a network administrator using interface 310. 

Server 320 also includes NET MNTR means 550. Means 550 serves to enable a network 
administrator to access and use user tracking information. Means 550 supplies a textual or graphical 
display to interface 310 operative to display user tracking information. Means 550 also enables a 
network administrator to generate user tracking information reports consisting of related information 
from one or more user tracking information entries. 

Client 360 further includes ID OFF means 640. Means 640 serves to initiate the log-off 
process by which authenticated users log-off the network 1. Means 640 supplies a textual or 
graphical display to user interface 350 operative to accept log-off commands. Means 640 transmits 
log-off commands to agent 400 for deactivation of established network connectivity. 
The last paragraph on page 18 is amended to read as follows: 






Referring to Fig. 7, a network 7 operating in accordance with an alternative embodiment of 
the present invention is shown. In the alternative embodiment, an enhanced authentication method 
is conducted before network communicability is granted. 



The last paragraph beginning on page 20 and continuing through the last paragraph on page 
21 should read as follows: 






Server 800 also includes ENH ID VER means 830. Means 830 serves, upon verifying log-in 
responses received from a user and that the user is authorized to use the network 7 at the time of the 
log-in attempt, to initiate an enhanced authentication method, if indicated. Means 830, upon 
determining that the log-in response matches user identification information associated with a user- 
specific entry in user records, and upon determining that the user is time-authorized if time 
restrictions are indicated, checks whether there is an enhanced authentication method associated with 
the matching user-specific entry. If an enhanced authentication method is indicated, means 820, 
before transmitting authorized communicability information and user status information to the agent 
on the appropriate one of devices 710, 715, transmits a request to enhanced authentication server 
770 to conduct an enhanced authentication session with the user. The enhanced authentication 
session is preferably conducted between enhanced server 770 and the user transparently to basic 
server 800. Enhanced server 770 instructs basic server 800 of the results of the enhanced 
authentication session. If the user was successfully authenticated, means 830 transmits to the agent 
authorized communicability information and user status information, preferably in the form of a log- 
in valid message. If the user was not successfully authenticated, means 830 transmits user status 
information, preferably a log-in invalid message, but no authorized communicability information. 
If an enhanced authentication method is not indicated when the check for an enhanced authentication 
method is performed, means 830 transmits to the agent authorized communicability information and 
user status information, in the form of a log-in valid message, without engaging server 770. If a 
matching entry for user identification information is not found in user records, or if the user is not 
time-authorized, means 830 transmits to the agent user status information, in the form of a log-in 
invalid message, without transmitting authorized communicability information. 
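As an added example, not code from the patent, the following models the server-side decision described for ID VER means 530 (pages 16 and 17) and extended by ENH ID VER means 830 above: a log-in response is matched against user records, time restrictions are checked, an enhanced authentication session is required when the record indicates one, and authorized communicability information is produced only alongside a log-in valid status. USER_RECORDS, time_authorized, verify_login, the enhanced_session callback standing in for server 770, and the sample records and times are assumptions of this example.

```python
# Constructed model (not the patent's code) of ID VER means 530 plus the ENH ID VER
# means 830 check; USER_RECORDS, time_authorized and verify_login are this example's names.
import hashlib
import hmac
from datetime import datetime

def _pw_hash(salt, password):
    return hashlib.sha256(salt + password).hexdigest()

USER_RECORDS = {  # constructed sample user records 330; passwords kept as salted hashes
    "alice": {"salt": b"s1", "pw_hash": _pw_hash(b"s1", b"pw-alice"), "vlans": ["vlan-eng"],
              "days": {0, 1, 2, 3, 4}, "window": (8, 18), "max_hours": 10, "enhanced": None},
    "bob":   {"salt": b"s2", "pw_hash": _pw_hash(b"s2", b"pw-bob"), "vlans": ["vlan-hr", "vlan-eng"],
              "days": None, "window": None, "max_hours": None, "enhanced": "token"},
}

# Constructed log-in times: a Tuesday at noon, a Sunday at noon, a Tuesday at 22:00.
WORKDAY_NOON = datetime(2024, 3, 5, 12)
SUNDAY_NOON = datetime(2024, 3, 3, 12)
WORKDAY_NIGHT = datetime(2024, 3, 5, 22)

def time_authorized(rec, now):
    """Apply the day-of-week and time-of-day restrictions, if the record has any."""
    if rec["days"] is not None and now.weekday() not in rec["days"]:
        return False
    if rec["window"] is not None and not (rec["window"][0] <= now.hour < rec["window"][1]):
        return False
    return True

def verify_login(user, password, now, enhanced_session=None):
    """Return (user status, authorized communicability information); the second
    element is None whenever the status is 'log-in invalid', as for means 530/830.
    enhanced_session(user, method) stands in for a session with enhanced server 770."""
    rec = USER_RECORDS.get(user)
    if rec is None:
        return "log-in invalid", None
    if not hmac.compare_digest(_pw_hash(rec["salt"], password.encode()), rec["pw_hash"]):
        return "log-in invalid", None
    if not time_authorized(rec, now):
        return "log-in invalid", None
    if rec["enhanced"] is not None:
        # Enhanced method indicated: grant nothing until server 770 reports success.
        if enhanced_session is None or not enhanced_session(user, rec["enhanced"]):
            return "log-in invalid", None
    info = {"vlans": list(rec["vlans"]),  # max_hours is carried for the edge device to enforce
            "restrictions": {"days": rec["days"], "window": rec["window"], "max_hours": rec["max_hours"]}}
    return "log-in valid", info
```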



The first paragraph on page 23 is amended as follows: 



Accordingly, once a determination is made that the user is time-authorized (1005), basic 
server 800 checks whether there is an enhanced authentication method associated with the matching 
entry (1010). If an enhanced authentication method is indicated, server 800 transmits a request to 
enhanced authentication server 770 to conduct an enhanced authentication session with the user 
(1015). Enhanced server 770 informs basic server 800 of the results of the enhanced authentication 
session. If the session was successfully completed (1020), basic server 800 transmits authorized 
communicability information and user status information, in the form of a log-in valid message, to 
the agent (1030). If enhanced session was not successfully completed (1025), basic server 800 
transmits a log-in invalid message to user and does not transmit authorized communicability 
information to agent. Agent also in that instance determines if user has made a configurable number 
of failed log-in attempts. The authentication session either continues or terminates as discussed 
depending on the outcome of that inquiry. If an enhanced authentication method is not indicated 
when the check for an enhanced authentication method is performed (1010), server 800 transmits 